Carnegie Mellon University

Measuring and Analyzing Typosquatting Toward Fighting Abusive Domain Registrations

thesis
posted on 2020-08-05, 17:33, authored by Janos Szurdi
Inexpensive and simple domain name registrations foster a wide variety of abuse. One of the most common abusive registration practices is typosquatting, where typosquatters register misspelled variants of existing domain names to profit from users' typing mistakes. Making matters worse, typosquatters frequently rely on advertisement networks to monetize user traffic, often exposing users to malicious and illicit content. Leveraging multifaceted large-scale measurement infrastructures, we demonstrate in this dissertation that typosquatting is a widespread issue which plays an important role, in concert with other illicit traffic sources, in exposing users to malice. Based on our measurement studies, we show how we can develop detection tools and leverage registration policies to reduce typosquatting and other abusive domain registrations.

Supporting our assertions about the extent and abuse of typosquatting, we design and implement three measurement infrastructures that lead to novel findings about typosquatting and related malicious domain registrations. First, to understand the extent of typosquatting, we study typosquatters who target less popular domain names. We find millions of typosquatting domains missed by previous research. Building on our findings, we create a classifier which can decide if a potentially typosquatting domain name is truly typosquatting or if it is just accidentally close to a target domain.
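The two building blocks behind the first study are the typo models that turn a target name into its candidate misspellings and a distance check that decides whether a registered name is within one typing error of a target. The block below is an added example written for this page, not code from the dissertation or its classifier. The target list, the partial QWERTY adjacency table and the candidate names are constructed; the five typo models (omission, transposition, duplication, adjacent-key substitution and adjacent-key insertion) are the standard ones used in typosquatting measurement, and the one-edit threshold plus the "is itself a target" rule stand in for the much richer feature set the thesis uses to separate true typosquatting from accidentally close names.

```python
# Added example (not the dissertation's code): generate typo variants of target
# domains and check whether a candidate lies within one typing error of a target.

# Partial QWERTY adjacency table for the fat-finger models.
# Assumption: a real deployment would use a complete keyboard-layout map.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

# Constructed target list; in practice this is the popularity list being protected.
TARGETS = ("example.com", "examples.com", "github.com", "paypal.com")


def split_domain(domain):
    """Split 'label.tld' into (label, tld); only two-label names are handled here."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typo_variants(domain):
    """Map every one-typo variant of the second-level label to the model that produced it."""
    label, tld = split_domain(domain)
    variants = {}

    def add(variant, model):
        if variant and variant != label:
            variants.setdefault(variant + "." + tld, model)

    for i, c in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")            # drop one character
        add(label[:i + 1] + c + label[i + 1:], "duplication")  # double one character
        for n in QWERTY_NEIGHBOURS.get(c, ""):
            add(label[:i] + n + label[i + 1:], "substitution")  # hit the adjacent key
            add(label[:i + 1] + n + label[i + 1:], "insertion")  # hit both keys
    for i in range(len(label) - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    return variants


def edit_distance(a, b):
    """Optimal string alignment distance: insertion, deletion, substitution, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def match_candidate(candidate, targets, max_distance=1):
    """Return (target, model, distance) for the closest other target within
    max_distance edits, or None. Edits outside the label (e.g. a dropped TLD
    character) are reported as 'other-single-edit'."""
    candidate = candidate.lower()
    best = None
    for target in targets:
        if target == candidate:
            continue
        dist = edit_distance(candidate, target)
        if dist <= max_distance and (best is None or dist < best[2]):
            model = typo_variants(target).get(candidate, "other-single-edit")
            best = (target, model, dist)
    return best


def classify(candidate, targets):
    """'target' if the name is itself protected (the simplest accidentally-close
    case), 'typo-candidate' if it is one edit from a target, else 'unrelated'."""
    if candidate.lower() in targets:
        return "target"
    return "typo-candidate" if match_candidate(candidate, targets) else "unrelated"


if __name__ == "__main__":
    # Constructed candidates: four typos, one TLD truncation, one unrelated
    # neighbour and one legitimate name that is itself a target.
    for name in ("githb.com", "gihtub.com", "paypak.com", "github.co",
                 "gitlab.com", "examples.com"):
        print(f"{name:14} {classify(name, TARGETS):15} {match_candidate(name, TARGETS)}")
```

Run as a script it prints, for each constructed candidate, the verdict and the closest target with the typo model that explains it; "examples.com" is reported as a target rather than as an insertion typo of "example.com", which is the kind of false positive the thesis's classifier is built to avoid.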

Second, we study how typosquatters send users to advertisement networks for profit. To gain a deeper understanding of the advertisement infrastructure redirecting users to malicious landing pages, we build a system that can emulate different types of users, can understand cloaking and blocking behavior and can reconstruct redirection chains. We find that typosquatters often share monetization strategies with ad-based URL shortening services and illicit movie streaming sites by redirecting users to the same malevolent landing pages. We also observe that miscreants differentiate users based on the device used and that using too few IP addresses can significantly decrease the number of abusive pages discovered. We develop a classifier, not specific to typosquatting and based only on features related to the redirection chain traversed by users, that can be leveraged to show warnings to users when a redirection is likely dangerous.

Third, as DNS abuse is not specific to the HTTP protocol, we study how users' private emails are exposed to typosquatters. We find that 1,211 typosquatting domains receive in the vicinity of 800,000 emails per year, and that millions of registered typosquatting domains have MX records pointing to only a handful of mail servers, potentially enabling the collection of emails on a larger scale.

Finally, we develop a policy analysis framework based on the domain registration ecosystem, finding that domain registration policies could have an essential role in complementing current detection-based approaches to fight typosquatting and malicious domain registrations.

History

Date

2020-07-28

Degree Type

  • Dissertation

Department

  • Electrical and Computer Engineering

Degree Name

  • Doctor of Philosophy (PhD)

Advisor(s)

Nicolas Christin
